IPv6 security: myths & legends
Paul Ebersman – Paul_Ebersman@cable.comcast.com
21 Apr 2015, NANOG on the Road – Boston
So many new security issues with IPv6!
Or are there…
IPv6 Security issues
• Same problem, different name
• A few myths & misconceptions
• Actual new issues
• FUD (Fear, Uncertainty & Doubt)
Round up the usual suspects!
Remember these?
• ARP cache poisoning
• P2P ping-pong attacks
• Rogue DHCP
ARP cache poisoning
• Bad guy broadcasts fake ARP replies
• Hosts on the subnet put the bad entry in their ARP cache
• Result: MitM or DoS
Ping-pong attack
• P2P link numbered with a subnet larger than a /31 (i.e. with unused addresses)
• Bad guy sends a packet for an address in the subnet that belongs to neither router
• Result: the link clogs as the two routers forward the packet back and forth
Rogue DHCP
• Client broadcasts a DHCP request
• Bad guy answers with a DHCP offer naming his “bad” router as the default GW
• Client now sends all its traffic to the bad GW
• Result: MitM or DoS
Look similar?
• Neighbor cache corruption
• P2P ping-pong attacks
• Rogue DHCP + rogue RA
Solutions?
• Lock down local wire
• /127s for P2P links (RFC 6164)
• RA Guard (RFC 6105)
And now for something completely different!
So what is new?
• Extension header chains
• Packet/Header fragmentation
• Predictable fragment headers
• Atomic fragments
The IPv4 Packet
(header layout diagram; not reproduced in this transcript)
The IPv6 Packet
(header layout diagram; not reproduced in this transcript)
Fragmentation
• Minimum MTU is 1280 bytes
• Only the source host can fragment (routers never do)
• Destination must receive every fragment to reassemble
• What happens if someone plays with the fragments?
IPv6 Extension Header Chains
• No limit on chain length
• Deep packet inspection bogs down
• Confuses stateless firewalls
• Fragments are a problem: the chain may not even fit in the first fragment
• draft-ietf-6man-oversized-header-chain-09
Predictable Fragments
• Fragment Header Identification field
• Only requirement is that it be “unique”
• Some implementations generate it predictably
• draft-gont-6man-predictable-fragment-id
Results of predicting ID
• Determine the packet rate
• Perform stealth port scans
• Uncover the rules of a number of firewalls
• Count the number of systems behind a middlebox
• Perform a Denial of Service (DoS) attack
Atomic Fragments
• Packet with a Fragment Header but not actually fragmented
• Usually forced by a forged ICMPv6 “Packet Too Big” message
• Fragments can overlap
• Result: various fragmentation attacks become possible
• See RFC 6946
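The three slides above (header chains, predictable fragment IDs, atomic fragments) come down to what a firewall or IDS has to do with the bytes in front of it. The following is an added example, not code from the talk: it walks the Next Header chain of a raw IPv6 packet, pulls the Fragment Header fields, flags atomic fragments as RFC 6946 defines them, and applies a crude sequential-ID check. Packets and the ICMPv6 stub are constructed inline; `build_packet` is a helper of ours.

```python
# Added example (not from the talk): walk an IPv6 extension-header chain and
# pull out the Fragment Header fields. Packets below are constructed inline.
import struct
from collections import namedtuple

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH = 0, 43, 44, 60, 51
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH}

ChainInfo = namedtuple(
    "ChainInfo", "headers chain_len upper_proto frag_id frag_offset more_frags")

def walk_chain(pkt: bytes) -> ChainInfo:
    """Follow Next Header from the fixed header through every extension header.
    Returns the header types seen, the byte length of the whole chain, the
    upper-layer protocol and (id, offset, M) if a Fragment Header is present.
    Raises if the chain runs past the bytes we have, which is the situation an
    oversized chain (or one split across fragments) puts a stateless filter in."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, headers, frag = pkt[6], 40, [], (None, None, None)
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("header chain runs past end of packet")
        headers.append(nxt)
        if nxt == FRAGMENT:            # fixed 8 bytes: nxt, reserved, offset/M, id
            nxt, _, off_m, ident = struct.unpack_from("!BBHI", pkt, off)
            frag, off = (ident, off_m >> 3, off_m & 1), off + 8
        elif nxt == AH:                # AH length is in 32-bit words, minus 2
            nxt, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:                          # others: 8-octet units, not counting the first
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return ChainInfo(headers, off, nxt, *frag)

def is_atomic_fragment(info: ChainInfo) -> bool:
    """RFC 6946: a Fragment Header with offset 0 and M=0 is an atomic fragment."""
    return info.frag_id is not None and info.frag_offset == 0 and info.more_frags == 0

def ids_look_sequential(ids, max_step: int = 8) -> bool:
    """Crude predictability check: consecutive IDs seen from one source differ by
    a small positive step (a global counter); random IDs will not look like this."""
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(ids, ids[1:])]
    return bool(deltas) and all(0 < d <= max_step for d in deltas)

def build_packet(first_nxt: int, ext: bytes) -> bytes:
    """Constructed sample: fixed header + extension bytes + an 8-byte ICMPv6 stub."""
    payload = b"\x80\x00\x00\x00\x00\x01\x00\x01"   # echo request, checksum left zero
    fixed = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), first_nxt, 64)
    return fixed + bytes(32) + ext + payload        # 32 zero bytes stand in for src/dst
```

Feeding a capture's fragments through `walk_chain` and grouping the resulting `frag_id` values per source gives `ids_look_sequential` something real to judge.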
Reality
• Most of these attacks are complicated
• Most attackers are lazy and will find easier attack vectors
• But there are toolsets out there
You’re already running IPv6…
“I’m not using IPv6”
• Are you running:
- Windows 8, Server 2012, Vista or newer
- Windows clustering
- Mac OS X
- Any modern Linux or FreeBSD
Guess again
Congratulations,
you’re running IPv6
Get used to it…
• Test now
• Train your staff
• Beat on your vendors
• Monitor it, don’t try to disable it
But everybody says…
IPSEC: the myth
IPSEC in IPv6 is better than IPv4 because it was designed in and mandated.
IPSEC: the reality
• RFCs said “MUST” support IPSEC (but softening to “SHOULD”…)
• Didn’t define “support”; left that to the vendors
• Vendors shipped it, but didn’t enable it
• No PKI…
IPv6 is HUGE!
• So big you can’t scan it…
• Unless you only use a tiny, predictable corner of it…
Use the space we have
• Give the whole /64 to DHCP pools
• Randomize address assignments across the whole /64
• Avoid EUI-64
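As an added example (not from the talk) of the two bullets above: an audit that flags addresses whose interface identifier embeds a MAC (modified EUI-64 puts 0xFFFE in the middle of the IID) or sits in the hand-numbered bottom of the /64, and a generator that draws replacements at random from the whole /64. The "low IID" threshold is our own heuristic; the reserved-IID ranges come from RFC 5453.

```python
# Added example (not from the talk): spot EUI-64 and low interface identifiers in
# an address inventory and draw fresh addresses at random from the whole /64.
import ipaddress
import secrets

# Reserved interface identifiers (RFC 5453): the all-zeros subnet-router anycast
# IID and the reserved subnet-anycast block FDFF:FFFF:FFFF:FF80 .. FFFF.
RESERVED_IID_LOW, RESERVED_IID_HIGH = 0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF

def is_eui64(addr: str) -> bool:
    """True if the IID carries the 0xFFFE marker that modified EUI-64 inserts
    between the two halves of a MAC address (bytes 3-4 of the IID)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"

def is_low_iid(addr: str, bits: int = 16) -> bool:
    """Heuristic (our assumption, not the talk's): hand-numbered hosts such as
    ::1, ::2 or ::a0 all sit in the bottom 2**bits of the /64 and are trivially
    enumerated, which is the opposite of using the whole space."""
    iid = int.from_bytes(ipaddress.IPv6Address(addr).packed[8:], "big")
    return iid < (1 << bits)

def audit(addrs):
    """Return {address: reason} for every address that undercuts the /64's size."""
    findings = {}
    for a in addrs:
        if is_eui64(a):
            findings[a] = "EUI-64: embeds the MAC, stable across networks and scannable"
        elif is_low_iid(a):
            findings[a] = "low IID: sequentially numbered, easy to enumerate"
    return findings

def random_address(prefix: str) -> ipaddress.IPv6Address:
    """Pick a uniformly random host address from a /64, skipping the RFC 5453
    reserved IIDs and anything that would look like an EUI-64 address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    while True:
        iid = int.from_bytes(secrets.token_bytes(8), "big")   # CSPRNG, 64 bits
        cand = ipaddress.IPv6Address(int(net.network_address) | iid)
        if iid == 0 or RESERVED_IID_LOW <= iid <= RESERVED_IID_HIGH or is_eui64(str(cand)):
            continue
        return cand
```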
It’s the end of the world as we know it!
IPv6 will destroy the Internet!
• Apps will break
• Firewalls won’t work
• ICMP is scary
• We don’t understand it so it must be insecure
Apps
• Yes, you will need to test, and possibly rewrite, all your code
• You need to reach everyone, including mobile devices
• Most of the bad ideas were already wrong in IPv4 code
If it was wrong in IPv4…
• Hard-coding IP addresses
• Not checking inputs/sizes
• Using relative DNS labels
• You no longer have the source
• Not tested since Y2K
Where to read more
• RIPE presentation:
- https://ripe66.ripe.net/presentations/134-Making_an_application_fully_IPv6_compliant_(2).pdf
Firewalls won’t work
• What do you do if your gear doesn’t meet your needs?
- Beat on your vendors until it does…
- But you need to know what to ask for
ICMP is scary, turn it off!
• ICMPv4 wasn’t that scary…
• ICMPv6 is much more tightly defined
• Read RFC 4890
We don’t understand it, so…
• If someone is telling you that IPv6 is evil incarnate, it’s because:
- They are a vendor that doesn’t support IPv6 but their competitors do
- They are trying to sell you a security product
Q & A
Thank you!